From 002fad72c424be165ccb2e81295db885ad633b8a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sun, 24 Jul 2011 21:54:10 +0200 Subject: [PATCH 01/29] dom0+vm: Polishing qvm-dom0-upgrade (#287) Do not print error message when no package downloaded. Also some more covenient usage when dowloading new packages (implied --resolve --nogui). --- common/qubes_download_dom0_updates.sh | 19 +++++++++++++++---- dom0/qvm-tools/qvm-dom0-upgrade | 13 +++++++++---- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/common/qubes_download_dom0_updates.sh b/common/qubes_download_dom0_updates.sh index 8ca153ef..1b1ea0bc 100755 --- a/common/qubes_download_dom0_updates.sh +++ b/common/qubes_download_dom0_updates.sh @@ -28,6 +28,8 @@ PKGLIST="$*" if [ "x$PKGLIST" = "x" ]; then echo "Checking for dom0 updates..." PKGLIST=`yum --installroot $DOM0_UPDATES_DIR check-update -q | cut -f 1 -d ' '` +else + PKGS_FROM_CMDLINE=1 fi if [ -z "$PKGLIST" ]; then 
@@ -35,23 +37,32 @@ if [ -z "$PKGLIST" ]; then exit 0 fi -if [ "$DOIT" != "1" ]; then +if [ "$DOIT" != "1" -a "$PKGS_FROM_CMDLINE" != "1" ]; then PKGCOUNT=`echo $PKGLIST|wc -w` zenity --question --title="Qubes Dom0 updates" \ --text="$PKGCOUNT updates for dom0 available. Do you want to download its now?" || exit 0 fi +if [ "$PKGS_FROM_CMDLINE" == 1 ]; then + OPTS="--resolve" + GUI=0 +fi + mkdir -p "$DOM0_UPDATES_DIR/packages" set -e if [ "$GUI" = 1 ]; then ( echo "1" - yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST + yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $OPTS $PKGLIST echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \ --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates" else - yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST + yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $OPTS $PKGLIST fi -/usr/lib/qubes/qrexec_client_vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent $DOM0_UPDATES_DIR/packages/*.rpm +if ls $DOM0_UPDATES_DIR/packages/*.rpm > /dev/null 2>&1; then + /usr/lib/qubes/qrexec_client_vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent $DOM0_UPDATES_DIR/packages/*.rpm +else + echo "No packages downloaded" +fi diff --git a/dom0/qvm-tools/qvm-dom0-upgrade b/dom0/qvm-tools/qvm-dom0-upgrade index d132009c..1f496f6a 100755 --- a/dom0/qvm-tools/qvm-dom0-upgrade +++ b/dom0/qvm-tools/qvm-dom0-upgrade 
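Review bot: The `ls $DOM0_UPDATES_DIR/packages/*.rpm` test at the end of the hunk also matches RPMs left over from an earlier run, since nothing in this script empties the packages directory before yumdownloader runs, so stale packages would be re-sent to dom0 through qubes.ReceiveUpdates on every invocation; unless cleanup happens elsewhere (not visible here), consider `rm -f "$DOM0_UPDATES_DIR/packages/"*.rpm` right after the `mkdir -p`. Separately, `[ "$PKGS_FROM_CMDLINE" == 1 ]` uses the bash-only `==` inside `[` while the condition a few lines above uses POSIX `=` and `-a`; `[ "$PKGS_FROM_CMDLINE" = 1 ]` keeps the script portable and consistent with itself.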
@@ -14,8 +14,13 @@ qvm-run -a $UPDATEVM true || exit 1 qvm-run --pass_io $UPDATEVM "/usr/lib/qubes/qubes_download_dom0_updates.sh $*" || exit 1 # Wait for download completed while pidof -x qubes-receive-updates >/dev/null; do sleep 0.5; done -yum check-update -if [ $? -ne 100 ]; then - exit 0 +if [ $# -gt 0 ]; then + echo "You can now install downloaded packages (eg. using yum)" +elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then + yum check-update + if [ $? -eq 100 ]; then + gpk-update-viewer + fi +else + echo "No updates avaliable" fi -gpk-update-viewer From 174f5c3c8d1aaee08fe955ae99966ab1ddf02c31 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 25 Jul 2011 15:29:37 +0200 Subject: [PATCH 02/29] version 1.6.12 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index 99c026bd..9e7398a3 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.11 +1.6.12 diff --git a/version_vm b/version_vm index 99c026bd..9e7398a3 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.6.11 +1.6.12 From 3df2e9783dc392b165b79f85938429e1b8ff2d3d Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Tue, 26 Jul 2011 16:36:59 +0200 Subject: [PATCH 03/29] dispvm: when updating savefile on demand, present zenity progress bar --- dom0/restore/qfile-daemon-dvm | 3 +-- .../qubes_update_dispvm_savefile_with_progress.sh | 14 ++++++++++++++ rpm_spec/core-dom0.spec | 2 ++ 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100755 dom0/restore/qubes_update_dispvm_savefile_with_progress.sh diff --git a/dom0/restore/qfile-daemon-dvm b/dom0/restore/qfile-daemon-dvm index 04a811f3..c03a6cba 100755 --- a/dom0/restore/qfile-daemon-dvm +++ b/dom0/restore/qfile-daemon-dvm 
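Review bot: The `$# -gt 0` branch prints "You can now install downloaded packages" unconditionally, but the VM-side script this file invokes exits 0 both when it sent packages and when it hit its "No packages downloaded" path, so the `|| exit 1` on the qvm-run line cannot tell the two apart and the user may be told to install packages that never arrived; a distinct non-zero exit code from the VM script, checked here, would resolve this. The package names from `$*` are also interpolated into a shell command line that is executed inside the UpdateVM, so an argument containing spaces or shell metacharacters is re-split there — a usability rather than trust issue since the caller is the dom0 user, but quoting each argument before passing it would make it robust.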
@@ -109,8 +109,7 @@ class QfileDaemonDvm: def get_dvm(self): if not self.dvm_setup_ok(): - self.tray_notify("Updating DisposableVM savefile, please wait", 120000) - if os.system("qvm-create-default-dvm --default-template --default-script >/var/run/qubes/qvm-create-default-dvm.stdout /dev/null /var/run/qubes/qvm-create-default-dvm.stdout Date: Tue, 26 Jul 2011 17:09:59 +0200 Subject: [PATCH 04/29] dispvm: honour current choice of template for dispvm ... when auto-refreshing the dispvm savefile. While at it, also copy dispvm-prerun.sh script in qvm-clone. --- dom0/qvm-core/qubes.py | 7 +++++++ ...qubes_update_dispvm_savefile_with_progress.sh | 2 +- dom0/restore/qvm-create-default-dvm | 16 +++++++++++----- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index ab4c594e..26f32f46 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1137,6 +1137,13 @@ class QubesTemplateVm(QubesVm): if retcode != 0: raise IOError ("Error while copying {0} to {1}".\ format(self.clean_volatile_img, self.volatile_img)) + + if verbose: + print "--> Copying the template's DispVM prerun script..." + retcode = subprocess.call (["cp", src_template_vm.dir_path + '/dispvm-prerun.sh', self.dir_path + '/dispvm-prerun.sh']) + if retcode != 0: + raise IOError ("Error while copying DispVM prerun script") + if verbose: print "--> Copying the template's appmenus templates dir:\n{0} ==>\n{1}".\ format(src_template_vm.appmenus_templates_dir, self.appmenus_templates_dir) diff --git a/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh b/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh index 74155ec5..aaaa5578 100755 --- a/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh +++ b/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh 
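Review bot: The new `cp` of dispvm-prerun.sh raises IOError and aborts the whole clone when the source template has no such file (e.g. a template created before the script was introduced), which is stricter than an optional helper script warrants; guard it with `if os.path.exists(src_template_vm.dir_path + '/dispvm-prerun.sh'):` and skip it (with a verbose message) otherwise. `shutil.copy` would also avoid spawning an external `cp` for a single-file copy, matching what the verbose message already describes. The enclosing clone method of QubesTemplateVm starts and ends outside the hunk.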
@@ -3,7 +3,7 @@ trap "exit 1" USR1 TERM export SHELL_PID=$$ ( echo "1" - if ! qvm-create-default-dvm --default-template --default-script >/var/run/qubes/qvm-create-default-dvm.stdout /var/run/qubes/qvm-create-default-dvm.stdout Date: Fri, 29 Jul 2011 12:12:15 +0200 Subject: [PATCH 05/29] Correct usage of "date -s" when syncing clock in dom0 Apparently, "date -s" does not like the output of "date +%s.%N". While at it, add basic date format sanitization. --- dom0/aux-tools/qubes-watch-updates.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/dom0/aux-tools/qubes-watch-updates.sh b/dom0/aux-tools/qubes-watch-updates.sh index 9f5111f6..f1532bc6 100755 --- a/dom0/aux-tools/qubes-watch-updates.sh +++ b/dom0/aux-tools/qubes-watch-updates.sh @@ -58,9 +58,13 @@ while true; do done # At the end synchronize clock - UNTRUSTED_CURRENT_TIME="`$QREXEC_CLIENT -d $UPDATES_VM 'user:date +%s.%N'`" - # I believe that date has safe input parsing... - sudo date -s "$UNTRUSTED_CURRENT_TIME" + + # dd is supposed to not allow memory exhaustion + # grep does basic sanity checking + # there seems to be no way to pass output of date +%s.%N to date, + # so we use human-readable format + CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' | dd count=1 2>/dev/null | grep '^[A-Za-z]* [A-Za-z]* [0-9]* [0-9][0-9]:[0-9][0-9]:[0-9][0-9] UTC [0-9][0-9][0-9][0-9]$'|head -1)" + if [ -n "$CURRENT_TIME" ] ; then sudo date -u -s "$CURRENT_TIME" ; fi sleep $UPDATES_SLEEP done From 8ecd6134d934946c7497a481ca9cf9dcca789ae2 Mon Sep 17 00:00:00 2001 
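Review bot: The sanity regex added for `CURRENT_TIME` rejects the first nine days of every month: in the C locale `date -u` pads a single-digit day with a space (`Mon Aug  1 11:14:35 UTC 2011`), and `[A-Za-z]* [0-9]* [0-9][0-9]:` admits only one separating space, so the clock silently stays unsynced on those days (a later patch in this series changes the day field to `[ 0-9][0-9]`). The comment block should also say what the check does and does not give you — the regex bounds the format, not the value, so a compromised UpdateVM can still set dom0's clock to any time in that format: `# NOTE: this only constrains the format; the UpdateVM still chooses the value`. The `while` loop enclosing this code starts outside the hunk.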
From: Rafal Wojtczuk Date: Fri, 29 Jul 2011 16:50:12 +0200 Subject: [PATCH 06/29] firewall: call iptables-restore once per domain (#311) qubes.py now places rules for each domain in a separate key under /local/domain/fw_XID/qubes_iptables_domainrules/ plus the header in /local/domain/fw_XID/qubes_iptables_header. /local/domain/fw_XID/qubes_iptables is now just a trigger. So, if iptables-restore fails dues to e.g. error resolving a domain name in a rules for a domain, then only this domain will not get connectivity, others will work fine. --- dom0/qvm-core/qubes.py | 14 +++++++------ proxyvm/bin/qubes_firewall | 40 ++++++++++++++++++++------------------ 2 files changed, 29 insertions(+), 25 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 26f32f46..fa68b161 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1459,6 +1459,7 @@ class QubesProxyVm(QubesNetVm): "{0}".format(self.netvm_vm.get_xid())) def write_iptables_xenstore_entry(self): + xs.rm('', "/local/domain/{0}/qubes_iptables_domainrules".format(self.get_xid())) iptables = "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime()) iptables += "*filter\n" iptables += ":INPUT DROP [0:0]\n" @@ -1477,9 +1478,12 @@ class QubesProxyVm(QubesNetVm): iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n" # Deny inter-VMs networking iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n" + iptables += "COMMIT\n" + xs.write('', "/local/domain/{0}/qubes_iptables_header".format(self.get_xid()), iptables) vms = [vm for vm in self.connected_vms.values()] for vm in vms: + iptables="*filter\n" if vm.has_firewall(): conf = vm.get_firewall_conf() else: 
@@ -1522,16 +1526,14 @@ class QubesProxyVm(QubesNetVm): iptables += "-A FORWARD -i vif{0}.+ -p icmp -j ACCEPT\n".format(xid) iptables += "-A FORWARD -i vif{0}.+ -j {1}\n".format(xid, default_action) - - iptables += "#End of VM rules\n" - iptables += "-A FORWARD -j DROP\n" - - iptables += "COMMIT" + iptables += "COMMIT\n" + xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes_iptables_domainrules/"+str(xid), iptables) + # no need for ending -A FORWARD -j DROP, cause default action is DROP self.write_netvm_domid_entry() self.rules_applied = None - xs.write('', "/local/domain/{0}/qubes_iptables".format(self.get_xid()), iptables) + xs.write('', "/local/domain/{0}/qubes_iptables".format(self.get_xid()), 'reload') def get_xml_attrs(self): attrs = super(QubesProxyVm, self).get_xml_attrs() diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall index fbac2959..13f5ba24 100755 --- a/proxyvm/bin/qubes_firewall +++ b/proxyvm/bin/qubes_firewall @@ -3,9 +3,9 @@ set -e PIDFILE=/var/run/qubes/qubes_firewall.pid XENSTORE_IPTABLES=qubes_iptables +XENSTORE_IPTABLES_HEADER=qubes_iptables_header XENSTORE_ERROR=qubes_iptables_error OLD_RULES="" - # PIDfile handling [[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0 echo $$ >$PIDFILE 
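Review bot: The `xs.rm` of qubes_iptables_domainrules in the previous hunk, the per-xid writes here and the final `'reload'` trigger are separate xenstore operations issued with an empty transaction handle, so a ProxyVM whose firewall script is still iterating the directory from an earlier trigger can observe a half-rewritten rule set; given the DROP default noted in the hunk's own comment this fails closed, but a VM can lose connectivity until the next reload. Wrapping the sequence in a xenstore transaction (`t = xs.transaction_start()`, pass `t` in place of `''`, then `xs.transaction_end(t)`) makes the rewrite atomic. The path here is also built by string concatenation while the neighbouring writes use `.format`; one style would be easier to audit.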
@@ -13,24 +13,26 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 
 while true; do
- RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
-
- if [[ "$RULES" != "$OLD_RULES" ]]; then
- IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
- OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
- /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
- if [ "$OUT" ]; then
- DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
- fi
-
- if [[ -z "$OUT" ]]; then
- # If OK save it for later
- /sbin/service iptables save >/dev/null
- fi
-
- OLD_RULES="$RULES"
- fi
-
 # Wait for changes in xenstore file
 /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
+ TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+
+ if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+ RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
+ IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
+ OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
+
+ for i in $(xenstore-list qubes_iptables_domainrules) ; do
+ RULES=$(/usr/bin/xenstore-read qubes_iptables_domainrules/"$i")
+ ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || :`
+ OUT="$OUT""$ERRS"
+ done
+ /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+ if [ "$OUT" ]; then
+ DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
+ fi
+ if [[ -z "$OUT" ]]; then
+ # If OK save it for later
+ /sbin/service iptables save >/dev/null
+ fi
 done
From 4dde8f8661cf8bff817f6a3a147d413d8efcd190 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Sat, 30 Jul 2011 11:15:47 +0200
Subject: [PATCH 07/29] vm: Blacklist unnecessary packge updates
---
 rpm_spec/core-commonvm.spec | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
index ad7b3009..791ea7bf 100644
--- a/rpm_spec/core-commonvm.spec
+++ b/rpm_spec/core-commonvm.spec
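Review bot: When the header `iptables-restore` fails (non-empty `OUT`), the per-domain loop still runs `iptables-restore -n` against whatever filter table is currently loaded — the previous header and the previous domain rules — so each domain's new rules are appended after its stale ones; a VM whose policy changed from ACCEPT to DROP would keep its old ACCEPT rule ahead of the new one, which is the one fail-open case this redesign otherwise avoids. Skip the loop when the header load failed, e.g. wrap it as `if [ -z "$OUT" ]; then for i in ...; done; fi`, or flush the filter table before appending. Prefixing each domain's errors with its xid (`OUT="$OUT$i: $ERRS"`) would make the notification actionable, and `xenstore-list` should use the same absolute `/usr/bin/` path as the other xenstore calls in this script.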
@@ -214,6 +214,9 @@ mkdir -p /rw #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 +# Prevent unnecessary updates in VMs: +echo 'exclude = kernel, xorg-*' >> yum.conf + %preun if [ "$1" = 0 ] ; then # no more packages left From 7a12cbd0e8c8527fd5bbc7c734c664c7864465b6 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 11:20:11 +0200 Subject: [PATCH 08/29] Dom0: restart ehci_hcd module on resume for all netvms (#299) --- dom0/pm-utils/01qubes-suspend-netvm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dom0/pm-utils/01qubes-suspend-netvm b/dom0/pm-utils/01qubes-suspend-netvm index d6e362d1..a206fc84 100755 --- a/dom0/pm-utils/01qubes-suspend-netvm +++ b/dom0/pm-utils/01qubes-suspend-netvm @@ -16,7 +16,7 @@ get_running_netvms() { suspend_net() { for VM in `get_running_netvms`; do - qvm-run -u root --pass_io $VM 'service NetworkManager stop; for if in `ls /sys/class/net|grep -v "lo\|vif"`; do ip l s $if down; done' + qvm-run -u root --pass_io $VM 'service NetworkManager stop; for if in `ls /sys/class/net|grep -v "lo\|vif"`; do ip l s $if down; done; rmmod ehci_hcd' done # Ignore exit status from netvm... return 0 @@ -25,7 +25,7 @@ suspend_net() resume_net() { for VM in `get_running_netvms`; do - qvm-run -u root --pass_io $VM "service NetworkManager start" + qvm-run -u root --pass_io $VM "modprobe ehci_hcd; service NetworkManager start" done # Ignore exit status from netvm... return 0 From 11ece41ccc63d93532babd562810bbfebfefba89 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 11:21:50 +0200 Subject: [PATCH 09/29] version 1.6.13 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index 9e7398a3..d4ca9156 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.12 +1.6.13 
diff --git a/version_vm b/version_vm index 9e7398a3..d4ca9156 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.6.12 +1.6.13 From 5932699d8f229c10539a56d4c3b7647ed762cc16 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 11:30:21 +0200 Subject: [PATCH 10/29] vm: Fix modules blacklisting --- rpm_spec/core-commonvm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index 791ea7bf..e4518ed7 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec @@ -215,7 +215,7 @@ mkdir -p /rw #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 # Prevent unnecessary updates in VMs: -echo 'exclude = kernel, xorg-*' >> yum.conf +echo 'exclude = kernel, xorg-*' >> /etc/yum.conf %preun if [ "$1" = 0 ] ; then From a64ae2aedc42f1cb323e95e32c862681f1ac9a51 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 11:31:20 +0200 Subject: [PATCH 11/29] version 1.6.14-vm --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index d4ca9156..5577648b 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.6.13 +1.6.14 From dfa2777272d68f717aa1a3c9ce55e5dc5e23c03c Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 12:33:35 +0200 Subject: [PATCH 12/29] dom0: do not require NetworkManager --- rpm_spec/core-dom0.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index 2feec85f..0921262d 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -40,7 +40,6 @@ BuildRequires: xen-devel Requires: python, xen-runtime, pciutils, python-inotify, python-daemon, kernel-qubes-dom0 Conflicts: qubes-gui-dom0 < 1.1.13 Requires: yum-plugin-post-transaction-actions -Requires: NetworkManager >= 0.8.1-1 Requires: xen >= 4.1.0-2 Requires: createrepo %define _builddir %(pwd)/dom0 
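Review bot: `echo 'exclude = kernel, xorg-*' >> /etc/yum.conf` runs from a spec scriptlet (the section preceding `%preun`) on every install and upgrade of this package, so each upgrade appends another identical `exclude` line to /etc/yum.conf; guard it with `grep -q '^exclude = kernel, xorg-\*' /etc/yum.conf || echo 'exclude = kernel, xorg-*' >> /etc/yum.conf`. A comment explaining why excluding `kernel` inside VMs is acceptable (presumably VM kernels are supplied from dom0, so a yum-delivered kernel would never be booted — worth confirming) would also help, since an unexplained kernel exclusion reads as suppressing security updates.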
From 634215ad8ed455004cb4916e729a737fd14ae7a8 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 12:34:02 +0200 Subject: [PATCH 13/29] version 1.6.14 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index d4ca9156..5577648b 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.13 +1.6.14 From 7a6ccae638e9036398eb52e5834d074736978896 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 14:07:35 +0200 Subject: [PATCH 14/29] Dom0: set metadata_expiry=0 for qubes-dom0-cached repo This way the list of dowloaded packages (via qvm-dom0-upgrade) will be immediately seen by yum. --- dom0/qubes-cached.repo | 1 + 1 file changed, 1 insertion(+) diff --git a/dom0/qubes-cached.repo b/dom0/qubes-cached.repo index 948d4876..963a7ba5 100644 --- a/dom0/qubes-cached.repo +++ b/dom0/qubes-cached.repo @@ -3,3 +3,4 @@ name = Qubes OS Repository for Dom0 baseurl = file:///var/lib/qubes/updates gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary gpgcheck = 1 +metadata_expire = 0 From 03cd273183c53c79a468a4a478edfe44f3b1ad2c Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 30 Jul 2011 14:08:07 +0200 Subject: [PATCH 15/29] version 1.6.15-dom0 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index 5577648b..7e84a788 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.14 +1.6.15 From f264b76a61007b5a89d0f29bc55ab189be90b793 Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Mon, 1 Aug 2011 11:14:35 +0200 Subject: [PATCH 16/29] qvm-backup: handle standaloneVM properly Do not attempt to copy apps.templates; copy apps/ instead. --- dom0/qvm-tools/qvm-backup | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/dom0/qvm-tools/qvm-backup b/dom0/qvm-tools/qvm-backup index c855a537..18abd56d 100755 --- a/dom0/qvm-tools/qvm-backup +++ b/dom0/qvm-tools/qvm-backup 
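Review bot: `metadata_expire = 0` is the right setting for a locally rebuilt repo, but the file should record what is and is not verified on this path: `gpgcheck = 1` covers RPM signatures at install time, while the repodata under /var/lib/qubes/updates is (judging by the `createrepo` requirement in core-dom0.spec) generated in dom0 from RPMs that arrived from the UpdateVM before any signature check, so createrepo and yum parse attacker-influenced package headers and metadata in dom0. A comment such as `# repodata is rebuilt locally from unverified RPMs received from the UpdateVM; only the install-time gpgcheck is trusted` would record that trust boundary for maintainers.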
@@ -121,7 +121,12 @@ def main(): files_to_backup += file_to_backup(vm.icon_path) if vm.is_updateable(): - files_to_backup += file_to_backup(vm.dir_path + "/apps.templates") + if os.path.exists(vm.dir_path + "/apps.templates"): + # template + files_to_backup += file_to_backup(vm.dir_path + "/apps.templates") + else: + # standaloneVM + files_to_backup += file_to_backup(vm.dir_path + "/apps") if os.path.exists (vm.firewall_conf): files_to_backup += file_to_backup(vm.firewall_conf) if os.path.exists(vm.dir_path + '/whitelisted-appmenus.list'): From d2301ab125949d6ec3b5986fa9159bc112912982 Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Mon, 1 Aug 2011 15:06:01 +0200 Subject: [PATCH 17/29] qvm-prefs: allow on the fly netvm switch (#302) When changing netvm of a running vm, detach/attach eth0. Some functionality of qubes_core_netvm thus is duplicated in setup_ip. REQUIRES http://git.qubes-os.org/?p=rafal/xen.git;a=commit;h=42c72e6173586a807f8f153391e2e57352d362b1 --- common/setup_ip | 10 ++++++++++ dom0/qvm-tools/qvm-prefs | 19 ++++++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/common/setup_ip b/common/setup_ip index 61f197cf..79f389a7 100755 --- a/common/setup_ip +++ b/common/setup_ip @@ -10,4 +10,14 @@ if [ x$ip != x ]; then /sbin/route add default dev $INTERFACE echo "nameserver $gateway" > /etc/resolv.conf echo "nameserver $secondary_dns" >> /etc/resolv.conf + network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null) + if [ "x$network" != "x" ]; then + gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) + netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) + secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) + echo "NS1=$gateway" > /var/run/qubes/qubes_ns + echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns + /usr/lib/qubes/qubes_setup_dnat_to_ns + fi + fi diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index 51ebe251..3527ad7f 100755 --- a/dom0/qvm-tools/qvm-prefs 
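Review bot: The added block reassigns `gateway` and `secondary_dns` from the `qubes_netvm_*` keys right after the same names (from the VM's own `qubes_gateway`/`qubes_secondary_dns`) were used to write resolv.conf, so two distinct addresses — the upstream NetVM's address for this VM and this VM's own address when acting as a NetVM — share variables and a later edit can easily mix them up; distinct names such as `netvm_gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)` avoid that. `netmask` is read but not used within the hunk. The enclosing `if [ x$ip != x ]` block starts outside the hunk.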
+++ b/dom0/qvm-tools/qvm-prefs @@ -119,7 +119,24 @@ def set_netvm(vms, vm, args): vm.uses_default_netvm = False vm.netvm_vm = netvm_vm - + if not vm.is_running(): + return + if not vm.netvm_vm.is_running(): + subprocess.check_call(["qvm-start", vm.netvm_vm.name]) + subprocess.check_call(["xl", "network-detach", vm.name, "0"]) + domain_path="/local/domain/"+str(vm.get_xid()) + subprocess.check_call(["xenstore-write", + domain_path+"/qubes_ip", + vm.ip]) + subprocess.check_call(["xenstore-write", + domain_path+"/qubes_gateway", + vm.netvm_vm.gateway]) + subprocess.check_call(["xenstore-write", + domain_path+"/qubes_secondary_dns", + vm.netvm_vm.secondary_dns]) + subprocess.check_call(["xl", "network-attach", vm.name, "ip="+vm.ip, + "backend="+vm.netvm_vm.name, + "script=/etc/xen/scripts/vif-route-qubes"]) def set_updateable(vms, vm, args): if vm.is_updateable(): From 6537b47bafefe2025ca5e21579584f4a14714db7 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 1 Aug 2011 15:43:55 +0200 Subject: [PATCH 18/29] version 1.6.16-dom0 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index 7e84a788..9494224a 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.15 +1.6.16 From 94c0f6c9d3d49556bd482980ea8046b389476fc4 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 1 Aug 2011 16:07:53 +0200 Subject: [PATCH 19/29] Dom0: use kpackagekit for updates GUI --- dom0/aux-tools/qubes-watch-updates.sh | 2 +- dom0/qvm-tools/qvm-dom0-upgrade | 2 +- rpm_spec/core-dom0.spec | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dom0/aux-tools/qubes-watch-updates.sh b/dom0/aux-tools/qubes-watch-updates.sh index f1532bc6..378f4c34 100755 --- a/dom0/aux-tools/qubes-watch-updates.sh +++ b/dom0/aux-tools/qubes-watch-updates.sh 
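Review bot: The detach/attach sequence moves the vif to the new backend, but nothing in the hunk regenerates firewall rules on the new NetVM: if it is a ProxyVM, its iptables rules are written per connected VM xid (see the qubes.py firewall code in this series), so unless a rewrite is triggered outside this view the VM's traffic hits the proxy's DROP default until the next reload, while the old proxy keeps stale ACCEPT rules for this xid; call the ProxyVM rule-writing method for both old and new netvm after a successful attach. Each `check_call` can also raise CalledProcessError midway, leaving the VM detached with no vif and no explanation; catching it and reporting which step failed would help. `set_netvm` begins outside the hunk.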
@@ -52,7 +52,7 @@ while true; do # Yes, I know that it will block future checking for updates, # but it is intentional (to not flood user with updates # notification) - gpk-update-viewer + kpackagekit --updates fi fi done diff --git a/dom0/qvm-tools/qvm-dom0-upgrade b/dom0/qvm-tools/qvm-dom0-upgrade index 1f496f6a..27fb18b4 100755 --- a/dom0/qvm-tools/qvm-dom0-upgrade +++ b/dom0/qvm-tools/qvm-dom0-upgrade @@ -19,7 +19,7 @@ if [ $# -gt 0 ]; then elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then yum check-update if [ $? -eq 100 ]; then - gpk-update-viewer + kpackagekit --updates fi else echo "No updates avaliable" diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index 0921262d..bf6a1f0a 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -42,6 +42,7 @@ Conflicts: qubes-gui-dom0 < 1.1.13 Requires: yum-plugin-post-transaction-actions Requires: xen >= 4.1.0-2 Requires: createrepo +Requires: kpackagekit %define _builddir %(pwd)/dom0 %description From d8261b4d9a4d50818983c9c6efbbe5bfbc391341 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 1 Aug 2011 16:08:32 +0200 Subject: [PATCH 20/29] version 1.6.17-dom0 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index 9494224a..5f3f7155 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.16 +1.6.17 From 708263bec4882ea5a4d6f1f56cfa9d6f00e0806e Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 2 Aug 2011 13:01:42 +0200 Subject: [PATCH 21/29] Revert "Dom0: use kpackagekit for updates GUI" This reverts commit 94c0f6c9d3d49556bd482980ea8046b389476fc4. Kpackagekit is not so nice-behaving as gpk-update-viewer is, e.g. it complains there are is no network connectivity, and, perhaps as a result, doesn't display the list of avilable updates. --- dom0/aux-tools/qubes-watch-updates.sh | 2 +- dom0/qvm-tools/qvm-dom0-upgrade | 2 +- rpm_spec/core-dom0.spec | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/dom0/aux-tools/qubes-watch-updates.sh b/dom0/aux-tools/qubes-watch-updates.sh index 378f4c34..f1532bc6 100755 --- a/dom0/aux-tools/qubes-watch-updates.sh +++ b/dom0/aux-tools/qubes-watch-updates.sh @@ -52,7 +52,7 @@ while true; do # Yes, I know that it will block future checking for updates, # but it is intentional (to not flood user with updates # notification) - kpackagekit --updates + gpk-update-viewer fi fi done diff --git a/dom0/qvm-tools/qvm-dom0-upgrade b/dom0/qvm-tools/qvm-dom0-upgrade index 27fb18b4..1f496f6a 100755 --- a/dom0/qvm-tools/qvm-dom0-upgrade +++ b/dom0/qvm-tools/qvm-dom0-upgrade @@ -19,7 +19,7 @@ if [ $# -gt 0 ]; then elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then yum check-update if [ $? -eq 100 ]; then - kpackagekit --updates + gpk-update-viewer fi else echo "No updates avaliable" diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index bf6a1f0a..0921262d 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -42,7 +42,6 @@ Conflicts: qubes-gui-dom0 < 1.1.13 Requires: yum-plugin-post-transaction-actions Requires: xen >= 4.1.0-2 Requires: createrepo -Requires: kpackagekit %define _builddir %(pwd)/dom0 %description From 9f15bfbeb32ee5efc1f7b7069ea6896f5b2e3166 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 2 Aug 2011 13:04:09 +0200 Subject: [PATCH 22/29] dom0: require gnome-packagekit --- rpm_spec/core-dom0.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index 0921262d..b377ad81 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -42,6 +42,7 @@ Conflicts: qubes-gui-dom0 < 1.1.13 Requires: yum-plugin-post-transaction-actions Requires: xen >= 4.1.0-2 Requires: createrepo +Requires: gnome-packagekit %define _builddir %(pwd)/dom0 %description From 49bfe8921ca27d5b6e36576bc476306cac86757a Mon Sep 17 00:00:00 2001 
From: Joanna Rutkowska
Date: Tue, 2 Aug 2011 14:12:03 +0200
Subject: [PATCH 23/29] dom0: qvm-sync-dom0-clock
---
 dom0/qvm-tools/qvm-sync-dom0-clock | 34 ++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 dom0/qvm-tools/qvm-sync-dom0-clock
diff --git a/dom0/qvm-tools/qvm-sync-dom0-clock b/dom0/qvm-tools/qvm-sync-dom0-clock
new file mode 100644
index 00000000..ab588c05
--- /dev/null
+++ b/dom0/qvm-tools/qvm-sync-dom0-clock
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+UPDATES_VM=`qvm-get-updatevm`
+
+QREXEC_CLIENT=/usr/lib/qubes/qrexec_client
+
+if [ -z "$UPDATES_VM" ]; then
+ echo "UpdateVM not set, exiting!" >&2
+ exit 1
+fi
+
+if ! xl domid "$UPDATES_VM" > /dev/null 2>&1; then
+ echo "UpdateVM not started, exiting!"
+ exit 1
+fi
+
+# dd is supposed to not allow memory exhaustion
+# grep does basic sanity checking
+# there seems to be no way to pass output of date +%s.%N to date,
+# so we use human-readable format
+
+CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' |
+ dd count=1 2>/dev/null |
+ grep '^[A-Za-z]* [A-Za-z]* [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [A-Z]* [0-9][0-9][0-9][0-9]$'|
+ head -1)"
+
+if [ -n "$CURRENT_TIME" ] ; then
+ echo Syncing Dom0 clock: setting time "$CURRENT_TIME"...
+ sudo date -u -s "$CURRENT_TIME" ;
+ echo Done.
+else
+ echo "Error while parsing the time obtained from the UpdateVM ($UPDATES_VM).."
+fi
+
From 9c58c9757160bd22598bbda351806ed95608cdb7 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Tue, 2 Aug 2011 14:14:50 +0200
Subject: [PATCH 24/29] dom0: qubes-watch-updates & qvm-dom0-upgrade: use qvm-sync-dom0-clock
---
 dom0/aux-tools/qubes-watch-updates.sh | 7 +------
 dom0/qvm-tools/qvm-dom0-upgrade | 4 ++++
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/dom0/aux-tools/qubes-watch-updates.sh b/dom0/aux-tools/qubes-watch-updates.sh
index f1532bc6..ecfda429 100755
--- a/dom0/aux-tools/qubes-watch-updates.sh
+++ b/dom0/aux-tools/qubes-watch-updates.sh
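Review bot: The grep pattern accepts any all-caps token in the zone field (`[A-Z]*`) even though the VM is asked for `date -u`, which in the C locale always prints `UTC`; pinning the literal `UTC` (as the earlier copy of this check in qubes-watch-updates.sh did) keeps the string handed to `sudo date -s` from carrying zone abbreviations that GNU date may interpret differently. The header comments should also state that the regex bounds only the format — a compromised UpdateVM can still set dom0's clock to any time, which matters for signature-validity decisions and log timestamps — e.g. `# NOTE: the UpdateVM chooses the clock value; only its format is checked here`. The "UpdateVM not started" message goes to stdout while "UpdateVM not set" goes to stderr; both are errors and should use `>&2`.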
@@ -58,13 +58,8 @@ while true; do done # At the end synchronize clock + qvm-sync-dom0-clock - # dd is supposed to not allow memory exhaustion - # grep does basic sanity checking - # there seems to be no way to pass output of date +%s.%N to date, - # so we use human-readable format - CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' | dd count=1 2>/dev/null | grep '^[A-Za-z]* [A-Za-z]* [0-9]* [0-9][0-9]:[0-9][0-9]:[0-9][0-9] UTC [0-9][0-9][0-9][0-9]$'|head -1)" - if [ -n "$CURRENT_TIME" ] ; then sudo date -u -s "$CURRENT_TIME" ; fi sleep $UPDATES_SLEEP done diff --git a/dom0/qvm-tools/qvm-dom0-upgrade b/dom0/qvm-tools/qvm-dom0-upgrade index 1f496f6a..6cb16922 100755 --- a/dom0/qvm-tools/qvm-dom0-upgrade +++ b/dom0/qvm-tools/qvm-dom0-upgrade @@ -6,6 +6,10 @@ if [ -z "$UPDATEVM" ]; then exit 1 fi +# We should ensure the clocks in Dom0 and UpdateVM are in sync +# becuase otherwise yum might complain about future timestamps +qvm-sync-dom0-clock + echo "Checking for dom0 updates" # Start VM if not running already From 3d0d9aa77d588e2e1c211f4bfb25a45e2de1e422 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 2 Aug 2011 14:16:03 +0200 Subject: [PATCH 25/29] version 1.6.18-dom0 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index 5f3f7155..7a9d7939 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.6.17 +1.6.18 From ccda3d664238d5e36d256996f7390a85f169c651 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 2 Aug 2011 14:24:43 +0200 Subject: [PATCH 26/29] dom0: make qvm-sync-dom0-clock executable --- dom0/qvm-tools/qvm-sync-dom0-clock | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 dom0/qvm-tools/qvm-sync-dom0-clock diff --git a/dom0/qvm-tools/qvm-sync-dom0-clock b/dom0/qvm-tools/qvm-sync-dom0-clock old mode 100644 new mode 100755 From af196c01cc67240582ea22a38b07a6ee439f9212 Mon Sep 17 00:00:00 2001 
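Review bot: `qvm-sync-dom0-clock` is called before the "Start VM if not running already" step that follows this hunk, and the new tool exits 1 with "UpdateVM not started" when the VM is not already running, so on a fresh boot the sync the comment relies on silently does not happen and the yum future-timestamp problem it is meant to prevent remains. Move the call after the `qvm-run -a $UPDATEVM true || exit 1` line, or have qvm-sync-dom0-clock start the VM itself. The comment's `becuase` typo is worth fixing while there.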
From: Joanna Rutkowska Date: Tue, 2 Aug 2011 17:15:41 +0200 Subject: [PATCH 27/29] version 1.6.18 Actually, also update version_vm, as qvm-prefs requires this for dynamic NetVM changing. --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 5577648b..7a9d7939 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.6.14 +1.6.18 From 357759147f844e5b2b75bc70778789a4d845e2c7 Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Tue, 2 Aug 2011 19:27:45 +0200 Subject: [PATCH 28/29] setup_ip: turn off sg Apparently vif frontend has broken sg implementation; we already worked around it in init.d script via ethtool; now do the same in setup_ip. It is relevant when attaching firewallvm to a different netvm on the fly. --- common/setup_ip | 1 + 1 file changed, 1 insertion(+) diff --git a/common/setup_ip b/common/setup_ip index 79f389a7..ad42cf46 100755 --- a/common/setup_ip +++ b/common/setup_ip @@ -8,6 +8,7 @@ if [ x$ip != x ]; then /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 /sbin/ifconfig $INTERFACE up /sbin/route add default dev $INTERFACE + /sbin/ethtool -K $INTERFACE sg off echo "nameserver $gateway" > /etc/resolv.conf echo "nameserver $secondary_dns" >> /etc/resolv.conf network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null) From cc5e37df1112eb16e2ace041d1f0960e74b20cd3 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 2 Aug 2011 19:37:41 +0200 Subject: [PATCH 29/29] version 1.6.19-vm --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 7a9d7939..e55f803c 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.6.18 +1.6.19